[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-36-g0136662

Michael Gilbert michael.s.gilbert at gmail.com
Wed Sep 8 00:06:48 UTC 2010


The following commit has been merged in the debian/unstable branch:
commit da1cd7ef4e75839c1e114bb0372d2ef485e56382
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date:   Mon Sep 6 21:49:09 2010 -0400

    fix cve-2010-2646

diff --git a/debian/changelog b/debian/changelog
index 948b561..9094c21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+webkit (1.2.4-2) unstable; urgency=high
+
+  * fix cve-2010-2646: security origin bypass using IFRAME elements.
+
+ -- Michael Gilbert <michael.s.gilbert at gmail.com>  Mon, 06 Sep 2010 21:36:40 -0400
+
 webkit (1.2.4-1) unstable; urgency=high
 
   * New stable release
diff --git a/debian/patches/cve-2010-2646.patch b/debian/patches/cve-2010-2646.patch
new file mode 100644
index 0000000..7badbde
--- /dev/null
+++ b/debian/patches/cve-2010-2646.patch
@@ -0,0 +1,96 @@
+description: fix cve-2010-2646
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/58873
+Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp	2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp	2010-09-06 21:48:13.000000000 -0400
+@@ -54,8 +54,12 @@
+                 frames.append(frame);
+         }
+ 
+-        for (unsigned i = 0; i < frames.size(); ++i)
+-            frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
++        for (unsigned i = 0; i < frames.size(); ++i) {
++            ExceptionCode ec = 0;
++            Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
++            if (!ec)
++                frames[i]->document()->enqueueEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
++        }
+     } else {
+         // Send events to every page.
+         const HashSet<Page*>& pages = page->group().pages();
+Index: webkit-1.2.4/WebCore/page/DOMWindow.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h	2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.h	2010-09-06 21:47:06.000000000 -0400
+@@ -206,7 +206,7 @@
+ 
+ #if ENABLE(DOM_STORAGE)
+         // HTML 5 key/value storage
+-        Storage* sessionStorage() const;
++        Storage* sessionStorage(ExceptionCode&) const;
+         Storage* localStorage(ExceptionCode&) const;
+ #endif
+ 
+Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp	2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp	2010-09-06 21:47:06.000000000 -0400
+@@ -567,7 +567,7 @@
+ }
+ 
+ #if ENABLE(DOM_STORAGE)
+-Storage* DOMWindow::sessionStorage() const
++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
+ {
+     if (m_sessionStorage)
+         return m_sessionStorage.get();
+@@ -576,6 +576,11 @@
+     if (!document)
+         return 0;
+ 
++    if (!document->securityOrigin()->canAccessLocalStorage()) {
++        ec = SECURITY_ERR;
++        return 0;
++    }
++
+     Page* page = document->page();
+     if (!page)
+         return 0;
+@@ -593,16 +598,16 @@
+ {
+     if (m_localStorage)
+         return m_localStorage.get();
+-    
++
+     Document* document = this->document();
+     if (!document)
+         return 0;
+-    
++
+     if (!document->securityOrigin()->canAccessLocalStorage()) {
+         ec = SECURITY_ERR;
+         return 0;
+     }
+-        
++
+     Page* page = document->page();
+     if (!page)
+         return 0;
+Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h	2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h	2010-09-06 21:47:06.000000000 -0400
+@@ -120,6 +120,11 @@
+     bool canAccessLocalStorage() const { return !isUnique(); }
+     bool canAccessCookies() const { return !isUnique(); }
+ 
++    // Technically, we should always allow access to sessionStorage, but we
++    // currently don't handle creating a sessionStorage area for unique
++    // origins.
++    bool canAccessSessionStorage() const { return !isUnique(); }
++
+     bool isSecureTransitionTo(const KURL&) const;
+ 
+     // The local SecurityOrigin is the most privileged SecurityOrigin.
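Review bot: The new guard in DOMWindow::sessionStorage (the DOMWindow.cpp hunk) tests `canAccessLocalStorage()`, while the SecurityOrigin.h hunk introduces `canAccessSessionStorage()` that nothing in this patch calls; both are `!isUnique()` today, but the session-storage path should read `if (!document->securityOrigin()->canAccessSessionStorage()) {` so that a later change to the local-storage policy cannot silently weaken or drop the session-storage check. The signature change of sessionStorage() to take an `ExceptionCode&` is not accompanied by any visible update to DOMWindow.idl or other callers, so any remaining zero-argument call (for example from generated bindings) would fail to compile — worth confirming against the upstream changeset named in the origin header. The StorageEventDispatcher.cpp hunk also switches from enqueueStorageEvent to enqueueEvent, which presumably only builds if Document in the 1.2.4 tree already provides enqueueEvent; that function's enclosing body starts outside the hunk. The comment above canAccessSessionStorage could state the consequence rather than only the limitation, e.g. `// Until a sessionStorage area can be created for unique origins, deny them access (SECURITY_ERR).`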
diff --git a/debian/patches/series b/debian/patches/series
index 05cfdf1..12314ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 02-pool-fixup-and-sparc-support.patch
 04-spoof-user-agent-to-google.patch
+cve-2010-2646.patch
